From f46ef0b006139e16be551595ab79e87e04435a9e Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen
Date: Fri, 6 Oct 2017 15:14:41 +0200
Subject: [PATCH 1/5] U4-10506 Importing a specially crafted document type file can cause XXE attack

(cherry picked from commit 5dde2efe0d2b3a47d17439e03acabb7ea2befb64)
---
 .../umbraco/dialogs/importDocumenttype.aspx.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs
index 27c1724bff..147e7604c1 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs
@@ -70,10 +70,11 @@ namespace umbraco.presentation.umbraco.dialogs
 private void import_Click(object sender, EventArgs e)
 {
 var xd = new XmlDocument();
+ xd.XmlResolver = null;
 xd.Load(tempFile.Value);
 var userId = base.getUser().Id;
- 
+
 var element = XElement.Parse(xd.InnerXml);
 var importContentTypes = ApplicationContext.Current.Services.PackagingService.ImportContentTypes(element, userId);
 var contentType = importContentTypes.FirstOrDefault();
@@ -104,7 +105,8 @@ namespace umbraco.presentation.umbraco.dialogs
 documentTypeFile.PostedFile.SaveAs(fileName);
 var xd = new XmlDocument();
- xd.Load(fileName);
+ xd.XmlResolver = null;
+ xd.Load(fileName);
 dtName.Text = xd.DocumentElement.SelectSingleNode("//DocumentType/Info/Name").FirstChild.Value;
 dtAlias.Text = xd.DocumentElement.SelectSingleNode("//DocumentType/Info/Alias").FirstChild.Value;

From fd577afe2c05a95226594ebe26f49e414ef31a70 Mon Sep 17 00:00:00 2001
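Review bot: Setting `xd.XmlResolver = null` in import_Click and again in the upload handler stops the parser from fetching external entities and external DTDs, but XmlDocument.Load on .NET Framework still parses an inline DOCTYPE, so entities declared and expanded inside the uploaded file itself are still processed before the resolver is ever consulted. Both hunks would be tighter if the document were loaded through a reader that rejects DTDs outright: `var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };` followed by `using (var reader = XmlReader.Create(tempFile.Value, settings)) { xd.Load(reader); }` (with fileName in place of tempFile.Value in the second hunk). A document type export presumably never carries a DOCTYPE, so prohibiting is the safe default; if that cannot be assumed, `DtdProcessing.Ignore` together with the null resolver is the fallback. Both enclosing methods continue outside the hunks.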
From: Sebastiaan Janssen
Date: Fri, 6 Oct 2017 14:38:07 +0200
Subject: [PATCH 2/5] Html encode nodenames to prevent XSS attacks. Fixes U4-10497 XSS Vulnerability in page name.

(cherry picked from commit fe2b86b681455ac975b294652064b2718d4e2ba2)
---
 src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs | 2 +-
 .../umbraco.presentation/umbraco/dialogs/notifications.aspx.cs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs b/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs
index 7e09d0b425..ababea628a 100644
--- a/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs
+++ b/src/Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs
@@ -30,7 +30,7 @@ namespace Umbraco.Web.UI.Umbraco.Dialogs
 }
 DocumentId = doc.Id;
- PageName = doc.Name;
+ PageName = Server.HtmlEncode(doc.Name);
 DocumentPath = doc.Path;
 }
diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs
index 97dc8d84d3..9010a70164 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs
@@ -26,7 +26,7 @@ namespace umbraco.dialogs
 protected void Page_Load(object sender, EventArgs e)
 {
 Button1.Text = ui.Text("update");
- pane_form.Text = ui.Text("notifications", "editNotifications", node.Text, base.getUser());
+ pane_form.Text = ui.Text("notifications", "editNotifications", Server.HtmlEncode(node.Text), base.getUser());
 }
 #region Web Form Designer generated code

From c5a55b17e6b1a10b92d922c6a21ea5c1d80e9a7a Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen
Date: Tue, 17 Oct 2017 10:08:37 +0200
Subject: [PATCH 3/5] Manually applying U4-10369: Split out ConfigureUmbracoAuthentication method

---
 src/Umbraco.Web/UmbracoDefaultOwinStartup.cs | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
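Review bot: In Publish.aspx.cs the encoding is applied when the PageName property is assigned, so the property now carries HTML-encoded text instead of the document name; any consumer that already encodes on output (`<%: PageName %>` or a data-bound control) will double-encode, and any consumer that places it inside a JavaScript string or an attribute is still not covered, because `Server.HtmlEncode` only addresses element content. The more robust shape is to keep `PageName = doc.Name;` and encode at the render site in the markup, where the output context is known. The same consideration applies to the notifications.aspx.cs hunk, where node.Text is encoded before `ui.Text(...)` interpolates it into a localized string; that is only correct if pane_form.Text is rendered without further encoding, which the hunk does not show. Both enclosing methods start outside the hunks.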
diff --git a/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs b/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
index 5773d88f73..61568e3cb8 100644
--- a/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
+++ b/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
@@ -46,12 +46,8 @@ namespace Umbraco.Web
 ///
 protected virtual void ConfigureMiddleware(IAppBuilder app)
 {
- //Ensure owin is configured for Umbraco back office authentication. If you have any front-end OWIN
- // cookie configuration, this must be declared after it.
+ // Configure OWIN for authentication.
 app
- .UseUmbracoBackOfficeCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
- .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
- .UseUmbracoPreviewAuthentication(ApplicationContext, PipelineStage.Authorize)
 .UseSignalR()
 .FinalizeMiddlewareConfiguration();
 }
@@ -68,6 +64,20 @@ namespace Umbraco.Web
 Core.Security.MembershipProviderExtensions.GetUsersMembershipProvider().AsUmbracoMembershipProvider());
 }
+ ///
+ /// Configure external/OAuth login providers
+ ///
+ ///
+ protected virtual void ConfigureUmbracoAuthentication(IAppBuilder app)
+ {
+ // Ensure owin is configured for Umbraco back office authentication.
+ // Front-end OWIN cookie configuration must be declared after this code.
+ app
+ .UseUmbracoBackOfficeCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
+ .UseUmbracoBackOfficeExternalCookieAuthentication(ApplicationContext, PipelineStage.Authenticate)
+ .UseUmbracoPreviewAuthentication(ApplicationContext, PipelineStage.Authorize);
+ }
+
 ///
 /// Raised when the middleware has been configured
 ///

From 461ce64feb031298b78d91e73572391b58a5835a Mon Sep 17 00:00:00 2001
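Review bot: The comment added in ConfigureUmbracoAuthentication inverts the ordering guidance of the comment it replaces: the removed text said Umbraco's back-office cookie authentication must be declared after any front-end OWIN cookie configuration, whereas the new text says the front-end configuration must come after this code. Unless the ordering requirement genuinely changed, it should keep the original meaning, e.g. `// Ensure owin is configured for Umbraco back office authentication. If you have any front-end OWIN` / `// cookie configuration, this must be declared after it.`. The summary `Configure external/OAuth login providers` also misdescribes the method, which registers back-office cookie, external-login cookie and preview authentication; a summary such as `Registers the Umbraco back office cookie, external-login cookie and preview authentication middleware.` matches what the body does. Note that after this commit ConfigureMiddleware registers none of these and nothing calls the new method, so the back office runs without authentication middleware until 5/5 adds the call; the enclosing class continues outside both hunks.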
From: Sebastiaan Janssen Date: Tue, 17 Oct 2017 10:57:18 +0200 Subject: [PATCH 4/5] Bump version to 7.6.10 --- src/SolutionInfo.cs | 4 ++-- src/Umbraco.Core/Configuration/UmbracoVersion.cs | 2 +- src/Umbraco.Web.UI/Umbraco.Web.UI.csproj | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/SolutionInfo.cs b/src/SolutionInfo.cs index a333fa499d..5de3f4ec9a 100644 --- a/src/SolutionInfo.cs +++ b/src/SolutionInfo.cs @@ -11,5 +11,5 @@ using System.Resources; [assembly: AssemblyVersion("1.0.*")] -[assembly: AssemblyFileVersion("7.6.9")] -[assembly: AssemblyInformationalVersion("7.6.9")] \ No newline at end of file +[assembly: AssemblyFileVersion("7.6.10")] +[assembly: AssemblyInformationalVersion("7.6.10")] \ No newline at end of file diff --git a/src/Umbraco.Core/Configuration/UmbracoVersion.cs b/src/Umbraco.Core/Configuration/UmbracoVersion.cs index 1c1724ae84..26b70ac6b6 100644 --- a/src/Umbraco.Core/Configuration/UmbracoVersion.cs +++ b/src/Umbraco.Core/Configuration/UmbracoVersion.cs @@ -6,7 +6,7 @@ namespace Umbraco.Core.Configuration { public class UmbracoVersion { - private static readonly Version Version = new Version("7.6.9"); + private static readonly Version Version = new Version("7.6.10"); /// /// Gets the current version of Umbraco. diff --git a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj index 15d48f8f1e..9979a69cfb 100644 --- a/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj +++ b/src/Umbraco.Web.UI/Umbraco.Web.UI.csproj @@ -2379,9 +2379,9 @@ xcopy "$(ProjectDir)"..\packages\SqlServerCE.4.0.0.1\x86\*.* "$(TargetDir)x86\" True True - 7690 + 7610 / - http://localhost:7690 + http://localhost:7610 False False From 9411a22a0d90d10ccc9b76a150342cb8cec632b5 Mon Sep 17 00:00:00 2001 
From: Sebastiaan Janssen
Date: Tue, 17 Oct 2017 11:04:01 +0200
Subject: [PATCH 5/5] Don't forget to call the ConfigureUmbracoAuthentication method

---
 src/Umbraco.Web/UmbracoDefaultOwinStartup.cs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs b/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
index 61568e3cb8..a3b9dac101 100644
--- a/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
+++ b/src/Umbraco.Web/UmbracoDefaultOwinStartup.cs
@@ -46,7 +46,9 @@ namespace Umbraco.Web
 ///
 protected virtual void ConfigureMiddleware(IAppBuilder app)
 {
- // Configure OWIN for authentication.
+ // Configure OWIN for authentication.
+ ConfigureUmbracoAuthentication(app);
+
 app
 .UseSignalR()
 .FinalizeMiddlewareConfiguration();
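Review bot: ConfigureMiddleware is `protected virtual` and, before 3/5, registered the authentication middleware inline; after this hunk a subclass that overrides it to add its own middleware must call `ConfigureUmbracoAuthentication(app)` (or the base) itself, and if it does not, the back office ends up with no cookie, external-login or preview authentication registered — a failure that is silent at startup and security-relevant, so it belongs in the method's documentation rather than in the one-line comment. A sentence on ConfigureMiddleware's XML doc such as `/// Overrides must call <see cref="ConfigureUmbracoAuthentication"/> (or the base implementation) before <c>UseSignalR()</c>; otherwise no Umbraco authentication middleware is registered.` would make that contract explicit. The `-`/`+` pair for `// Configure OWIN for authentication.` shows identical text, so the difference is presumably whitespace only and worth a word in the commit message. The method's closing brace lies outside the hunk.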